chore: sign update messages before sending

Author: pcarranzav

packages/hypergraph-react/src/HypergraphAppContext.tsx

@@ -4,6 +4,7 @@ import * as automerge from '@automerge/automerge';
 import { uuid } from '@automerge/automerge';
 import { RepoContext } from '@automerge/automerge-repo-react-hooks';
 import { Identity, Key, Messages, SpaceEvents, type SpaceStorageEntry, Utils, store } from '@graphprotocol/hypergraph';
+import { canonicalize } from '@graphprotocol/hypergraph/utils/jsc';
 import { useSelector as useSelectorStore } from '@xstate/store/react';
 import { Effect, Exit } from 'effect';
 import * as Schema from 'effect/Schema';
@@ -469,6 +470,11 @@ export function HypergraphAppProvider({
       console.error('No encryption private key found');
       return;
     }
+    const signaturePrivateKey = keys?.signaturePrivateKey;
+    if (!signaturePrivateKey) {
+      console.error('No signature private key found.');
+      return;
+    }
 
     const onMessage = async (event: MessageEvent) => {
       const data = Messages.deserialize(event.data);
@@ -560,17 +566,13 @@ export function HypergraphAppProvider({
 
                 const ephemeralId = uuid();
 
-                const nonceAndCiphertext = Messages.encryptMessage({
-                  message: lastLocalChange,
-                  secretKey: Utils.hexToBytes(space.keys[0].key),
-                });
-
-                const messageToSend = {
-                  type: 'create-update',
+                const messageToSend = Messages.signedUpdateMessage({
                   ephemeralId,
-                  update: nonceAndCiphertext,
                   spaceId: space.id,
-                } as const satisfies Messages.RequestCreateUpdate;
+                  message: lastLocalChange,
+                  secretKey: space.keys[0].key,
+                  signaturePrivateKey,
+                });
                 websocketConnection.send(Messages.serialize(messageToSend));
               } catch (error) {
                 console.error('Error sending message', error);
@@ -664,7 +666,7 @@ export function HypergraphAppProvider({
     return () => {
       websocketConnection.removeEventListener('message', onMessage);
     };
-  }, [websocketConnection, spaces, keys?.encryptionPrivateKey]);
+  }, [websocketConnection, spaces, keys?.encryptionPrivateKey, keys?.signaturePrivateKey]);
 
   const createSpaceForContext = async () => {
     if (!accountId) {

packages/hypergraph/src/messages/index.ts

@@ -1,4 +1,5 @@
 export * from './decrypt-message.js';
 export * from './encrypt-message.js';
 export * from './serialize.js';
+export * from './signed-update-message.js';
 export * from './types.js';

packages/hypergraph/src/messages/signed-update-message.ts

@@ -0,0 +1,43 @@
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { canonicalize, hexToBytes, stringToUint8Array } from '../utils/index.js';
+import { encryptMessage } from './encrypt-message.js';
+import type { RequestCreateUpdate } from './types.js';
+
+interface Params {
+  ephemeralId: string;
+  spaceId: string;
+  message: Uint8Array;
+  secretKey: string;
+  signaturePrivateKey: string;
+}
+
+export const signedUpdateMessage = ({
+  ephemeralId,
+  spaceId,
+  message,
+  secretKey,
+  signaturePrivateKey,
+}: Params): RequestCreateUpdate => {
+  const update = encryptMessage({
+    message,
+    secretKey: hexToBytes(secretKey),
+  });
+
+  const messageToSign = stringToUint8Array(
+    canonicalize({
+      ephemeralId,
+      update,
+      spaceId,
+    }),
+  );
+
+  const signature = secp256k1.sign(messageToSign, hexToBytes(signaturePrivateKey), { prehash: true }).toCompactHex();
+
+  return {
+    type: 'create-update',
+    ephemeralId,
+    update,
+    spaceId,
+    signature,
+  };
+};

packages/hypergraph/src/messages/types.ts

@@ -86,6 +86,7 @@ export const RequestCreateUpdate = Schema.Struct({
   update: Schema.Uint8Array,
   spaceId: Schema.String,
   ephemeralId: Schema.String, // used to identify the confirmation message
+  signature: Schema.String,
 });
 
 export const RequestMessage = Schema.Union(